Global Protect client unable to access network resources until refreshed 4-5 times

Setup

PAN-OS 10.1.11-h4

Global Protect 6.2.3-270 configured using SSL VPN

Windows 10 and 11 multiple clients

Hi all,

We are facing a strange issue with remote users attempting to connect via Global Protect to access network resources behind the PA-220.

The issue is that when you connect to the VPN, the Global Protect client will not communicate with any resources on the network until you refresh the connection 4-5 times. However, sometimes it will allow access to resources the first time. It is sporadic, but more often than not you have to refresh the connection multiple times.

The Global Protect client will also sometimes auto disconnect and re-connect within the first minute, but this doesn’t always happen.

I have checked that Global Protect is receiving the correct IP and DNS servers, which are present even when you cannot ping anything behind the PA-220. The only noticeable thing is that on the Global Protect client status window there are zero bytes in and zero packets in; however, the bytes out and packets out increase, indicating the client is attempting to talk to the gateway.

We were running a different version of the Global Protect client which was also facing the same issue.

Has anyone experienced a similar issue, or would anyone know what may be causing this or how we can troubleshoot? I can provide logs from the client if that helps.

Thanks in advance!

Not sure if it relates, but try disabling IPv6 on your remote machines. There was an issue not too long ago (the PAN-OS version escapes me) that turned out to be a bug with having IPv6 enabled and SSL VPN.

Pretty sure that version had a bug with IPv6. Disabling IPv6 on the PAN network adapter was the workaround. Otherwise fixed in 10.1.13.

Check your outbound URLs for *.chime.aws traffic … probably nothing, but I’d like to know if you see it, and when your traffic starts if so.

Had a similar issue on 11.0.4-h1 where HIPChecks would pass for a few minutes but then fail, with the DB only retaining 1 HIPCheck for any domain asset. Mysteriously, if using only the Host-ID/Serial of the device without it being in the domain, it would work without issue.

We got it fixed by upgrading to 11.1.2-h3; an alternate solution was also to downgrade to 11.0.3-h10.

Seems in your case there is a later preferred release, wondering if it may be fixed. You may want to get a Palo Alto engineer to answer the question of whether the issue has been reported. Apparently, with ours, they are aware of the issue but had no ETA for when it would be fixed for 11.0.x, so that is why they investigated and mentioned upgrading or downgrading.

Seems not all known issues are on their bulletin.

Good luck.

Wanted to follow up and find out if IPv6 was your culprit?

We have a lot of issues with the 6.2.3 client; use 6.1.4 instead.

Dealing with Global Protect misery has spawned a cottage industry in IT. Why does everybody use it?

I think you are spot on - fingers crossed, I have checked on my laptop and disabled IPv6 as you suggest and it is connecting without any issue now.

I will test on user machines in the morning as it is 1.30am here.

Thank you!
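
For testing the IPv6 workaround from the replies on other user machines, the following is an added example and not code from any poster in this thread or from Palo Alto Networks. It checks the IPv6 binding on the GlobalProtect virtual adapter and disables it. The function name `Disable-GPAdapterIPv6` is hypothetical, and the adapter description pattern `PANGP Virtual Ethernet Adapter*` is an assumption to confirm with `Get-NetAdapter` on an affected client.

```powershell
#Requires -RunAsAdministrator
# Added example: disable the IPv6 binding (ms_tcpip6) on the GlobalProtect virtual adapter only,
# leaving IPv6 untouched on the physical NICs.
# Assumption: the adapter's InterfaceDescription starts with "PANGP Virtual Ethernet Adapter".

function Disable-GPAdapterIPv6 {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumed description pattern; override if Get-NetAdapter shows a different name.
        [string]$DescriptionPattern = 'PANGP Virtual Ethernet Adapter*'
    )

    $adapters = Get-NetAdapter |
        Where-Object { $_.InterfaceDescription -like $DescriptionPattern }

    if (-not $adapters) {
        Write-Warning "No adapter matching '$DescriptionPattern' was found on $env:COMPUTERNAME."
        return
    }

    foreach ($adapter in $adapters) {
        $binding = Get-NetAdapterBinding -Name $adapter.Name -ComponentID ms_tcpip6 `
            -ErrorAction SilentlyContinue

        # Only change the binding if it exists and is currently enabled.
        if ($binding -and $binding.Enabled -and
            $PSCmdlet.ShouldProcess($adapter.Name, 'Disable IPv6 binding (ms_tcpip6)')) {
            Disable-NetAdapterBinding -Name $adapter.Name -ComponentID ms_tcpip6
        }

        # Emit the resulting state so it can be logged or collected per machine.
        Get-NetAdapterBinding -Name $adapter.Name -ComponentID ms_tcpip6 `
            -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                          Name, DisplayName, ComponentID, Enabled
    }
}

# Dry run: shows which adapter would be changed without modifying anything.
Disable-GPAdapterIPv6 -WhatIf
```

Run `Disable-GPAdapterIPv6` without `-WhatIf` to apply the change, then reconnect the client. `Enable-NetAdapterBinding -ComponentID ms_tcpip6` on the same adapter reverts it once the firewall is on a release with the fix.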